[MERGE] Make sure we pass only lists, tuples or dicts to Cursor.execute().
This fixes a call in the login code where a single untupled string was passed. Psycopg does not see the problem: it iterates over the string, and as long as the string length matches the number of needed parameters, everything seems fine. Yeah for dynamic typing and SQL queries. bzr revid: vmt@openerp.com-20121016125408-q537r71k5cisyxs0
commit
a3cef23827
|
@ -409,8 +409,8 @@ class res_users(osv.osv):
|
|||
# prevent/delay login in that case. It will also have been logged
|
||||
# as a SQL error, if anyone cares.
|
||||
try:
|
||||
cr.execute("SELECT id FROM res_users WHERE id=%s FOR UPDATE NOWAIT", str(user_id))
|
||||
cr.execute("UPDATE res_users SET login_date = now() AT TIME ZONE 'UTC' WHERE id=%s", str(user_id))
|
||||
cr.execute("SELECT id FROM res_users WHERE id=%s FOR UPDATE NOWAIT", (user_id,))
|
||||
cr.execute("UPDATE res_users SET login_date = now() AT TIME ZONE 'UTC' WHERE id=%s", (user_id,))
|
||||
except Exception, e:
|
||||
_logger.exception("Failed to update last_login for db:%s login:%s", db, login)
|
||||
except openerp.exceptions.AccessDenied:
|
||||
|
|
|
@ -215,6 +215,9 @@ class Cursor(object):
|
|||
_logger.warning(query)
|
||||
_logger.warning("SQL queries cannot contain %d or %f anymore. "
|
||||
"Use only %s")
|
||||
if params and not isinstance(params, (tuple, list, dict)):
|
||||
_logger.error("SQL query parameters should be a tuple, list or dict; got %r", params)
|
||||
raise ValueError("SQL query parameters should be a tuple, list or dict; got %r" % (params,))
|
||||
|
||||
if self.sql_log:
|
||||
now = mdt.now()
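Review bot: The new guard `if params and not isinstance(params, (tuple, list, dict)):` is skipped whenever `params` is falsy, so an untupled `0` or `''` still gets past it. Testing for `None` explicitly closes that gap: `if params is not None and not isinstance(params, (tuple, list, dict)):`. What the rest of `execute()` does with such a value lies outside the hunk, so the downstream effect cannot be confirmed from here. Separately, the rejected value is logged with `%r` and repeated in the exception text. Since the mistake being caught is a raw string passed from code such as the login path, logging only `type(params).__name__` would keep an accidentally passed secret out of the log.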
|
||||
|
|
|
@ -9,7 +9,7 @@ See the :ref:`test-framework` section in the :ref:`features` list.
|
|||
"""
|
||||
|
||||
from . import test_expression, test_html_sanitize, test_ir_sequence, test_orm,\
|
||||
test_view_validation, test_uninstall, test_misc
|
||||
test_view_validation, test_uninstall, test_misc, test_db_cursor
|
||||
|
||||
fast_suite = [
|
||||
test_ir_sequence,
|
||||
|
@ -18,6 +18,7 @@ fast_suite = [
|
|||
checks = [
|
||||
test_expression,
|
||||
test_html_sanitize,
|
||||
test_db_cursor,
|
||||
test_orm,
|
||||
test_view_validation,
|
||||
test_misc,
|
||||
|
|
|
@ -0,0 +1,32 @@
|
|||
# -*- coding: utf-8 -*-
|
||||
|
||||
import unittest2
|
||||
|
||||
import openerp
|
||||
from openerp.tools.misc import mute_logger
|
||||
import common
|
||||
|
||||
DB = common.DB
|
||||
ADMIN_USER_ID = common.ADMIN_USER_ID
|
||||
|
||||
def cursor():
|
||||
return openerp.modules.registry.RegistryManager.get(DB).db.cursor()
|
||||
|
||||
|
||||
class test_cr_execute(unittest2.TestCase):
|
||||
""" Try cr.execute with wrong parameters """
|
||||
|
||||
@mute_logger('openerp.sql_db')
|
||||
def test_execute_bad_params(self):
|
||||
"""
|
||||
Try to use iterable but non-list or int params in query parameters.
|
||||
"""
|
||||
cr = cursor()
|
||||
with self.assertRaises(ValueError):
|
||||
cr.execute("SELECT id FROM res_users WHERE login=%s", 'admin')
|
||||
with self.assertRaises(ValueError):
|
||||
cr.execute("SELECT id FROM res_users WHERE id=%s", 1)
|
||||
with self.assertRaises(ValueError):
|
||||
cr.execute("SELECT id FROM res_users WHERE id=%s", '1')
|
||||
|
||||
# vim:expandtab:smartindent:tabstop=4:softtabstop=4:shiftwidth=4:
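Review bot: `test_execute_bad_params` opens a cursor with `cr = cursor()` and never closes it, so each run leaves the cursor, and presumably its connection, open until garbage collection. Wrap the three assertions in `try:` … `finally: cr.close()`. The docstring "non-list or int params" is ambiguous; something like `Scalar parameters (str, int) must be rejected with ValueError.` states what is actually asserted. All three cases use truthy values, so adding `0` and `''` would show whether the guard in `Cursor.execute` also rejects falsy scalars. `ADMIN_USER_ID` is assigned but not used in the lines shown.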
|